[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
enrica at apple.com
enrica at apple.com
Thu Feb 4 21:27:38 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 3e7811d3343399f1e086e3f2337e4b1e7ce7313f
Author: enrica at apple.com <enrica at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Tue Jan 26 02:07:19 2010 +0000
WebCore: Cleanup unwanted tags after pasting.
https://bugs.webkit.org/show_bug.cgi?id=34148
Reviewed by Darin Adler.
Test: editing/pasteboard/paste-noscript-xhtml.xhtml
* dom/Element.cpp:
(WebCore::Element::setAttributeNS):
* dom/Element.h:
* dom/XMLTokenizer.h:
* dom/XMLTokenizerLibxml2.cpp:
(WebCore::XMLTokenizer::XMLTokenizer):
(WebCore::handleElementNamespaces):
(WebCore::handleElementAttributes):
(WebCore::XMLTokenizer::startElementNs):
(WebCore::XMLTokenizer::endElementNs):
(WebCore::parseXMLDocumentFragment):
* html/HTMLElement.cpp:
(WebCore::HTMLElement::createContextualFragment):
LayoutTests: https://bugs.webkit.org/show_bug.cgi?id=34148
Reviewed by Darin Adler.
* editing/pasteboard/paste-noscript-xhtml-expected.txt: Added.
* editing/pasteboard/paste-noscript-xhtml.xhtml: Added.
* editing/resources/htmlcontent.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@53835 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 4f194a1..86c337a 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-01-25 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ https://bugs.webkit.org/show_bug.cgi?id=34148
+
+ * editing/pasteboard/paste-noscript-xhtml-expected.txt: Added.
+ * editing/pasteboard/paste-noscript-xhtml.xhtml: Added.
+ * editing/resources/htmlcontent.html: Added.
+
2010-01-25 Kent Tamura <tkent at chromium.org>
Reviewed by Darin Adler.
diff --git a/LayoutTests/editing/pasteboard/paste-noscript-xhtml-expected.txt b/LayoutTests/editing/pasteboard/paste-noscript-xhtml-expected.txt
new file mode 100644
index 0000000..97afa8b
--- /dev/null
+++ b/LayoutTests/editing/pasteboard/paste-noscript-xhtml-expected.txt
@@ -0,0 +1,7 @@
+ALERT: hello
+CONSOLE MESSAGE: line 1: ReferenceError: Can't find variable: sayHello
+This test copies the content of an iframe and pastes it in an editable area in an xhtml document and verifies that no script, handlers or javascript urls are copied.
+
+HelloCNNHello
+This is a form
+<button xmlns="http://www.w3.org/1999/xhtml" id="button1" style="width: 100px; ">Hello</button><a xmlns="http://www.w3.org/1999/xhtml" id="anchor1" href="http://www.cnn.com/">CNN</a><a xmlns="http://www.w3.org/1999/xhtml" id="anchor2">Hello</a><iframe xmlns="http://www.w3.org/1999/xhtml" id="iframe1" style="width: 200px; height: 100px; background-color: rgb(204, 238, 238); "></iframe><form xmlns="http://www.w3.org/1999/xhtml" id="form1" style="width: 200px; height: 150px; background-color: rgb(204, 238, 238); ">This is a form</form>
diff --git a/LayoutTests/editing/pasteboard/paste-noscript-xhtml.xhtml b/LayoutTests/editing/pasteboard/paste-noscript-xhtml.xhtml
new file mode 100644
index 0000000..c7b63da
--- /dev/null
+++ b/LayoutTests/editing/pasteboard/paste-noscript-xhtml.xhtml
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<div id="description">
+This test copies the content of an iframe and pastes it
+in an editable area in an xhtml document and verifies that no script, handlers or javascript urls are copied.
+</div>
+<iframe id="iframe1" src="../resources/htmlcontent.html" onload="foo()"></iframe>
+<div id="pastehere" contenteditable="true"></div>
+<ul id="console"></ul>
+<script>
+if (window.layoutTestController)
+ window.layoutTestController.dumpAsText();
+
+if (window.layoutTestController)
+ window.layoutTestController.waitUntilDone();
+
+function foo() {
+ var frame = frames[0];
+ var sel = frame.getSelection();
+ var doc = frame.document;
+ sel.setPosition(doc.body, 0);
+ doc.execCommand("SelectAll");
+ doc.execCommand("Copy");
+
+ var p1 = document.getElementById("pastehere");
+ var s = window.getSelection();
+ s.setPosition(p1, 0);
+ document.execCommand("Paste");
+ log(document.getElementById("pastehere").innerHTML);
+
+ if (window.layoutTestController)
+ window.layoutTestController.notifyDone();
+}
+
+function log(str) {
+ var li = document.createElement("li");
+ li.appendChild(document.createTextNode(str));
+ var console = document.getElementById("console");
+ console.appendChild(li);
+}
+</script>
+</html>
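Review bot: Nothing in this test says which of the expected ALERT/CONSOLE lines are legitimate. The expected output holds one `ALERT: hello` and one ReferenceError for `sayHello`, which presumably come from loading htmlcontent.html in the source iframe rather than from the paste, so a regression would show up only as an extra line. I would add a comment above `foo()` such as `<!-- One alert and one ReferenceError are expected from loading the source iframe; any additional alert means pasted script ran. -->`. The only direct check on the pasted content is the serialized `innerHTML` of `#pastehere`.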
diff --git a/LayoutTests/editing/resources/htmlcontent.html b/LayoutTests/editing/resources/htmlcontent.html
new file mode 100644
index 0000000..c7e385c
--- /dev/null
+++ b/LayoutTests/editing/resources/htmlcontent.html
@@ -0,0 +1,15 @@
+<script>
+function sayHello()
+{
+ alert("Hello");
+}
+if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+</script>
+<body>
+<button id="button1" onclick="sayHello()" ondblclick="sayHello()" style="width: 100px;">Hello</button><a id="anchor1" href="http://www.cnn.com">CNN</a><a id="anchor2" href="javascript:sayHello()">Hello</a>
+<script style="display: block; position: fixed; top: 4000px">alert('hello');</script>
+<script src="../editing.js" style="display: block; position: fixed; top: 4000px"></script>
+<iframe id="iframe1" src="javascript:sayHello()" style="width: 200px; height: 100px; background-color:#cee;"></iframe>
+<form id="form1" action="javascript:sayHello()" style="width: 200px; height: 150px; background-color:#cee;">This is a form</form>
+</body>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index a1b7df4..b6bae3d 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2010-01-25 Enrica Casucci <enrica at apple.com>
+
+ Reviewed by Darin Adler.
+
+ Cleanup unwanted tags after pasting.
+ https://bugs.webkit.org/show_bug.cgi?id=34148
+
+ Test: editing/pasteboard/paste-noscript-xhtml.xhtml
+
+ * dom/Element.cpp:
+ (WebCore::Element::setAttributeNS):
+ * dom/Element.h:
+ * dom/XMLTokenizer.h:
+ * dom/XMLTokenizerLibxml2.cpp:
+ (WebCore::XMLTokenizer::XMLTokenizer):
+ (WebCore::handleElementNamespaces):
+ (WebCore::handleElementAttributes):
+ (WebCore::XMLTokenizer::startElementNs):
+ (WebCore::XMLTokenizer::endElementNs):
+ (WebCore::parseXMLDocumentFragment):
+ * html/HTMLElement.cpp:
+ (WebCore::HTMLElement::createContextualFragment):
+
2010-01-25 Steve Falkenburg <sfalken at apple.com>
Reviewed by Simon Fraser.
diff --git a/WebCore/dom/Element.cpp b/WebCore/dom/Element.cpp
index 0ee5147..8b6ee45 100644
--- a/WebCore/dom/Element.cpp
+++ b/WebCore/dom/Element.cpp
@@ -616,7 +616,12 @@ static bool isEventHandlerAttribute(const QualifiedName& name)
{
return name.namespaceURI().isNull() && name.localName().startsWith("on");
}
-
+
+static bool isAttributeToRemove(const QualifiedName& name, const AtomicString& value)
+{
+ return (name.localName().endsWith(hrefAttr.localName()) || name == srcAttr || name == actionAttr) && protocolIsJavaScript(deprecatedParseURL(value));
+}
+
void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list, FragmentScriptingPermission scriptingPermission)
{
document()->incDOMTreeVersion();
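Review bot: `isAttributeToRemove` has no comment, and its name does not say what it matches. It is a denylist limited to attributes whose local name ends in `href`, plus `src` and `action`, and only when the value parses as a javascript: URL. Since it now gates `setAttributeNS` (third hunk) as well as `setAttributeMap`, I would add `// True for URL attributes (href-suffixed, src, action) whose value is a javascript: URL; other URL-valued attributes are not checked here.` above it, and consider a more specific name. The two callers also neutralise differently: `setAttributeMap` keeps the attribute with a null value, while `setAttributeNS` drops it, which is worth either unifying or documenting. `setAttributeMap`'s body continues outside this hunk.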
@@ -648,7 +653,7 @@ void Element::setAttributeMap(PassRefPtr<NamedNodeMap> list, FragmentScriptingPe
continue;
}
- if ((attributeName.localName().endsWith(hrefAttr.localName()) || attributeName == srcAttr || attributeName == actionAttr) && protocolIsJavaScript(deprecatedParseURL(namedAttrMap->m_attributes[i]->value())))
+ if (isAttributeToRemove(attributeName, namedAttrMap->m_attributes[i]->value()))
namedAttrMap->m_attributes[i]->setValue(nullAtom);
i++;
}
@@ -1153,13 +1158,17 @@ PassRefPtr<Attr> Element::removeAttributeNode(Attr* attr, ExceptionCode& ec)
return static_pointer_cast<Attr>(attrs->removeNamedItem(attr->qualifiedName(), ec));
}
-void Element::setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode& ec)
+void Element::setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode& ec, FragmentScriptingPermission scriptingPermission)
{
String prefix, localName;
if (!Document::parseQualifiedName(qualifiedName, prefix, localName, ec))
return;
QualifiedName qName(prefix, localName, namespaceURI);
+
+ if (scriptingPermission == FragmentScriptingNotAllowed && (isEventHandlerAttribute(qName) || isAttributeToRemove(qName, value)))
+ return;
+
setAttribute(qName, value, ec);
}
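Review bot: The new early return in `setAttributeNS` drops the attribute without touching `ec`, so a caller cannot tell a filtered attribute from one that was set. If that is intended for paste, say so at the check, e.g. `// Silently drop event handlers and javascript: URL attributes when scripting is not allowed for this fragment.` Separately, `isEventHandlerAttribute` (context lines of the first hunk) matches only when `namespaceURI().isNull()`, so the filter relies on callers passing a null rather than an empty namespace for unprefixed attributes. `handleElementAttributes` passes `String()` in that case, which looks right, but the assumption deserves a comment here.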
diff --git a/WebCore/dom/Element.h b/WebCore/dom/Element.h
index d2b9d4b..facb13d 100644
--- a/WebCore/dom/Element.h
+++ b/WebCore/dom/Element.h
@@ -113,7 +113,7 @@ public:
const AtomicString& getAttributeNS(const String& namespaceURI, const String& localName) const;
void setAttribute(const AtomicString& name, const AtomicString& value, ExceptionCode&);
- void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&);
+ void setAttributeNS(const AtomicString& namespaceURI, const AtomicString& qualifiedName, const AtomicString& value, ExceptionCode&, FragmentScriptingPermission = FragmentScriptingAllowed);
const QualifiedName& idAttributeName() const;
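Review bot: The new `FragmentScriptingPermission` parameter on `setAttributeNS` defaults to `FragmentScriptingAllowed`, so any caller that forgets to pass it gets the unfiltered behaviour with no compiler diagnostic. The same default is added to `parseXMLDocumentFragment` in the last hunk of XMLTokenizer.h. The fragment `XMLTokenizer` constructor takes the argument without a default, which is the safer pattern. If the defaults must stay for source compatibility, I would at least add `// Callers that parse pasted or otherwise untrusted markup must pass FragmentScriptingNotAllowed.` next to both declarations.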
diff --git a/WebCore/dom/XMLTokenizer.h b/WebCore/dom/XMLTokenizer.h
index 3bd15c8..ddf7e6f 100644
--- a/WebCore/dom/XMLTokenizer.h
+++ b/WebCore/dom/XMLTokenizer.h
@@ -27,6 +27,7 @@
#include "CachedResourceClient.h"
#include "CachedResourceHandle.h"
+#include "MappedAttributeEntry.h"
#include "SegmentedString.h"
#include "StringHash.h"
#include "Tokenizer.h"
@@ -72,7 +73,7 @@ namespace WebCore {
class XMLTokenizer : public Tokenizer, public CachedResourceClient {
public:
XMLTokenizer(Document*, FrameView* = 0);
- XMLTokenizer(DocumentFragment*, Element*);
+ XMLTokenizer(DocumentFragment*, Element*, FragmentScriptingPermission);
~XMLTokenizer();
enum ErrorType { warning, nonFatal, fatal };
@@ -138,7 +139,7 @@ public:
void endDocument();
#endif
private:
- friend bool parseXMLDocumentFragment(const String& chunk, DocumentFragment* fragment, Element* parent);
+ friend bool parseXMLDocumentFragment(const String&, DocumentFragment*, Element*, FragmentScriptingPermission);
void initializeParserContext(const char* chunk = 0);
@@ -199,6 +200,7 @@ public:
typedef HashMap<String, String> PrefixForNamespaceMap;
PrefixForNamespaceMap m_prefixToNamespaceMap;
SegmentedString m_pendingSrc;
+ FragmentScriptingPermission m_scriptingPermission;
};
#if ENABLE(XSLT)
@@ -206,7 +208,7 @@ void* xmlDocPtrForString(DocLoader*, const String& source, const String& url);
#endif
HashMap<String, String> parseAttributes(const String&, bool& attrsOK);
-bool parseXMLDocumentFragment(const String&, DocumentFragment*, Element* parent = 0);
+bool parseXMLDocumentFragment(const String&, DocumentFragment*, Element* parent = 0, FragmentScriptingPermission = FragmentScriptingAllowed);
} // namespace WebCore
diff --git a/WebCore/dom/XMLTokenizerLibxml2.cpp b/WebCore/dom/XMLTokenizerLibxml2.cpp
index af79519..7bfd0f0 100644
--- a/WebCore/dom/XMLTokenizerLibxml2.cpp
+++ b/WebCore/dom/XMLTokenizerLibxml2.cpp
@@ -548,10 +548,11 @@ XMLTokenizer::XMLTokenizer(Document* _doc, FrameView* _view)
, m_pendingScript(0)
, m_scriptStartLine(0)
, m_parsingFragment(false)
+ , m_scriptingPermission(FragmentScriptingAllowed)
{
}
-XMLTokenizer::XMLTokenizer(DocumentFragment* fragment, Element* parentElement)
+XMLTokenizer::XMLTokenizer(DocumentFragment* fragment, Element* parentElement, FragmentScriptingPermission scriptingPermission)
: m_doc(fragment->document())
, m_view(0)
, m_context(0)
@@ -574,6 +575,7 @@ XMLTokenizer::XMLTokenizer(DocumentFragment* fragment, Element* parentElement)
, m_pendingScript(0)
, m_scriptStartLine(0)
, m_parsingFragment(true)
+ , m_scriptingPermission(scriptingPermission)
{
fragment->ref();
if (m_doc)
@@ -675,7 +677,7 @@ struct _xmlSAX2Namespace {
};
typedef struct _xmlSAX2Namespace xmlSAX2Namespace;
-static inline void handleElementNamespaces(Element* newElement, const xmlChar** libxmlNamespaces, int nb_namespaces, ExceptionCode& ec)
+static inline void handleElementNamespaces(Element* newElement, const xmlChar** libxmlNamespaces, int nb_namespaces, ExceptionCode& ec, FragmentScriptingPermission scriptingPermission)
{
xmlSAX2Namespace* namespaces = reinterpret_cast<xmlSAX2Namespace*>(libxmlNamespaces);
for (int i = 0; i < nb_namespaces; i++) {
@@ -683,7 +685,7 @@ static inline void handleElementNamespaces(Element* newElement, const xmlChar**
String namespaceURI = toString(namespaces[i].uri);
if (namespaces[i].prefix)
namespaceQName = "xmlns:" + toString(namespaces[i].prefix);
- newElement->setAttributeNS(XMLNSNames::xmlnsNamespaceURI, namespaceQName, namespaceURI, ec);
+ newElement->setAttributeNS(XMLNSNames::xmlnsNamespaceURI, namespaceQName, namespaceURI, ec, scriptingPermission);
if (ec) // exception setting attributes
return;
}
@@ -698,7 +700,7 @@ struct _xmlSAX2Attributes {
};
typedef struct _xmlSAX2Attributes xmlSAX2Attributes;
-static inline void handleElementAttributes(Element* newElement, const xmlChar** libxmlAttributes, int nb_attributes, ExceptionCode& ec)
+static inline void handleElementAttributes(Element* newElement, const xmlChar** libxmlAttributes, int nb_attributes, ExceptionCode& ec, FragmentScriptingPermission scriptingPermission)
{
xmlSAX2Attributes* attributes = reinterpret_cast<xmlSAX2Attributes*>(libxmlAttributes);
for (int i = 0; i < nb_attributes; i++) {
@@ -709,7 +711,7 @@ static inline void handleElementAttributes(Element* newElement, const xmlChar**
String attrURI = attrPrefix.isEmpty() ? String() : toString(attributes[i].uri);
String attrQName = attrPrefix.isEmpty() ? attrLocalName : attrPrefix + ":" + attrLocalName;
- newElement->setAttributeNS(attrURI, attrQName, attrValue, ec);
+ newElement->setAttributeNS(attrURI, attrQName, attrValue, ec, scriptingPermission);
if (ec) // exception setting attributes
return;
}
@@ -777,7 +779,7 @@ void XMLTokenizer::startElementNs(const xmlChar* xmlLocalName, const xmlChar* xm
}
ExceptionCode ec = 0;
- handleElementNamespaces(newElement.get(), libxmlNamespaces, nb_namespaces, ec);
+ handleElementNamespaces(newElement.get(), libxmlNamespaces, nb_namespaces, ec, m_scriptingPermission);
if (ec) {
stopParsing();
return;
@@ -787,7 +789,7 @@ void XMLTokenizer::startElementNs(const xmlChar* xmlLocalName, const xmlChar* xm
if (jsProxy && m_doc->frame()->script()->canExecuteScripts())
jsProxy->setEventHandlerLineNumber(lineNumber());
- handleElementAttributes(newElement.get(), libxmlAttributes, nb_attributes, ec);
+ handleElementAttributes(newElement.get(), libxmlAttributes, nb_attributes, ec, m_scriptingPermission);
if (ec) {
stopParsing();
return;
@@ -830,6 +832,13 @@ void XMLTokenizer::endElementNs()
Node* n = m_currentNode;
n->finishParsingChildren();
+ if (m_scriptingPermission == FragmentScriptingNotAllowed && n->isElementNode() && toScriptElement(static_cast<Element*>(n))) {
+ popCurrentNode();
+ ExceptionCode ec;
+ n->remove(ec);
+ return;
+ }
+
if (!n->isElementNode() || !m_view) {
popCurrentNode();
return;
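Review bot: In the new script-removal branch of `endElementNs`, `ExceptionCode ec;` is declared without an initialiser and is never inspected after `n->remove(ec)`. `startElementNs` in this same file uses `ExceptionCode ec = 0;`, so for consistency and defined behaviour this should be `ExceptionCode ec = 0;`. If a failed removal can leave the script element in the fragment, the result should also be checked, or a short comment should state why ignoring it is safe. The function continues past the end of this hunk.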
@@ -1381,12 +1390,12 @@ void XMLTokenizer::resumeParsing()
end();
}
-bool parseXMLDocumentFragment(const String& chunk, DocumentFragment* fragment, Element* parent)
+bool parseXMLDocumentFragment(const String& chunk, DocumentFragment* fragment, Element* parent, FragmentScriptingPermission scriptingPermission)
{
if (!chunk.length())
return true;
- XMLTokenizer tokenizer(fragment, parent);
+ XMLTokenizer tokenizer(fragment, parent, scriptingPermission);
CString chunkAsUtf8 = chunk.utf8();
tokenizer.initializeParserContext(chunkAsUtf8.data());
diff --git a/WebCore/html/HTMLElement.cpp b/WebCore/html/HTMLElement.cpp
index c4253f5..d3a7f22 100644
--- a/WebCore/html/HTMLElement.cpp
+++ b/WebCore/html/HTMLElement.cpp
@@ -287,7 +287,7 @@ PassRefPtr<DocumentFragment> HTMLElement::createContextualFragment(const String
if (document()->isHTMLDocument())
parseHTMLDocumentFragment(html, fragment.get(), scriptingPermission);
else {
- if (!parseXMLDocumentFragment(html, fragment.get(), this))
+ if (!parseXMLDocumentFragment(html, fragment.get(), this, scriptingPermission))
// FIXME: We should propagate a syntax error exception out here.
return 0;
}
--
WebKit Debian packaging